Business Owners: New Colorado Law on Data Privacy Will Require More Robust Privacy Programs

Sherman & Howard L.L.C.

On July 1, Colorado will join four other states as its comprehensive privacy law, the Colorado Privacy Act (CPA), goes into full effect. The CPA imposes significant new obligations for businesses and nonprofit organizations that come under its umbrella, as well as the possibility of substantial fines for lack of compliance. All companies should assess whether they are subject to the CPA and, if so, what they need to do to make sure their data program is compliant.

Who Must Comply

The CPA is intended to target businesses that traffic in large amounts of personal data. The CPA applies to any business or nonprofit that (1) “processes” (defined as collecting, using, selling, storing, disclosing, analyzing, deleting, or modifying) data for 100,000 or more Colorado residents annually or (2) benefits from selling data and processes data for 25,000 or more Colorado residents. As a result, any business with a database containing the requisite number of Colorado residents will likely be subject to the CPA.

What Must Companies Do

The CPA applies to the personal data (defined as data that is linked or reasonably linkable to an individual) of Colorado consumers. The CPA provides consumers with a host of new rights, including the right to access, correct, and in some cases delete their data held by a company. The CPA also provides consumers with the right to obtain a copy of their data and the right to opt out of certain uses of their data, including the right to opt out of the sale of their data or the use of their data for “profiling.” The CPA further requires companies to obtain consent from consumers before they begin processing certain types of data that are highly sensitive. The CPA requires that businesses create a system to respond to consumer requests within 45 days.

The CPA mandates that subject businesses limit their collection and use of personal data to that which is reasonably necessary and compatible with the purpose disclosed to consumers, and obtain consent from consumers before processing personal data for a purpose not originally disclosed. This means that most subject businesses will need to review their privacy policies to ensure they are sufficiently disclosing all data being collected and how that data is used. Further, to the extent a subject business transfers any personal data to a vendor or other third party, the CPA mandates that the agreement obligate that vendor to also comply with the CPA.

Finally, the CPA mandates that businesses maintain reasonable measures to keep personal data confidential. This mandate is accompanied by a requirement that entities conduct periodic data protection assessments to evaluate risks associated with certain processing activities and document the assessments.

Potential Ramifications

The ramifications for violating the CPA are significant, with each violation (measured per consumer and per transaction) punishable by civil penalties up to $20,000.

How to Prepare

The CPA goes into effect on July 1 but has a one-year lookback period, meaning that businesses who are subject need to implement a compliance program as soon as possible. Businesses should consider the following when preparing to comply:

  1. Know what data you have and where it resides. Understand what data you maintain on consumers and where that data is located.
  2. Assess the necessity of each category of data. Assess whether each type of data collected is truly necessary to accomplish your organization’s goals and ditch any data that is extraneous or no longer useful.
  3. Assess and adjust the security measures in place. Ensure that the appropriate security is in place for each type of data.
  4. Document your efforts to assess your data. Ensure that your efforts to assess your data and security measures, as well as the reasoning behind any decisions, are well-documented.
  5. Update your privacy policy. Make sure your privacy policy is transparent as to how you are using the data and is easy to understand.
  6. Update your vendor agreements. Review your vendor agreements to ensure vendors are obligated to comply with the CPA and submit to audit.
  7. Put in place a process for responding to consumer requests and obtaining consent. Once consumers learn of their new rights, they will begin sending in requests to exercise them. Without a process in place, these requests will quickly become unmanageable.
  8. Ensure that all relevant employees are trained on the privacy program. Otherwise, the procedures are nothing more than words on paper.

Given the ever-evolving nature of privacy laws and regulations, companies that process consumer data need to make sure their privacy programs are up to date to ensure they do not find themselves in a stand-off with regulators. One of the best ways to protect against compliance issues is to speak with counsel experienced in data privacy issues.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sherman & Howard L.L.C. | Attorney Advertising
